CIS Benchmarks: DevOps Guide to Hardening the Cloud

DevOps and cloud computing have become inseparable. The cloud began primarily as a development and test environment, without stringent requirements for security and availability, but it has since evolved into a mature platform for running production workloads. Moreover, destructive supply chain attacks such as SolarWinds and Kaseya have taught us all that development and build environments must be secured too.

Today, to practice DevOps you need the cloud, and to avoid disaster you must secure it. The Center for Internet Security (CIS) is a non-profit research body that publishes a series of Benchmarks: prescriptive guides for securely configuring computing systems. There are CIS Benchmarks for all major public clouds.

Every DevOps professional should be familiar with these benchmarks and should apply at least their basic (Level 1) recommendations across development, test, and production environments.

What are the CIS Benchmarks?

The CIS Benchmarks are collections of best-practice recommendations for securing system configuration. They are created through a unique consensus-based process involving cybersecurity professionals and subject matter experts from around the world.

The volunteer contributors are a diverse group of stakeholders: experts from academia and government, the private sector, and various businesses and related industries.

How does this process work?

  • The process starts by defining the scope of the benchmark, which opens the discussion.
  • Volunteers then write and test working drafts.
  • On the CIS WorkBench community site, contributors open discussion threads to continue the dialogue until consensus is reached on the proposed recommendations and working drafts.
  • Once all contributors have reached consensus, the final benchmark is published online.

There are currently more than 100 CIS Benchmarks covering more than 25 vendor product families. They can be downloaded free of charge in PDF format.

Each CIS Benchmark divides its configuration recommendations into two profiles:

  • Level 1 covers basic configurations that are easy to implement and have minimal impact on business functions.
  • Level 2 is designed for high-security environments. Recommendations at this level add defense in depth but require more coordination and planning to implement without disrupting the business.

CIS Benchmark Categories Most Applicable to Cloud Environments

  • Operating system hardening: security configurations for core operating systems such as Microsoft Windows, Linux, and Apple macOS, including guidance on restricting local and remote access, user profiles, driver installation, and browser configuration.
  • Server software: security configurations for widely used server software such as Microsoft Windows Server, SQL Server, VMware, Docker, and Kubernetes. These benchmarks include recommendations for Kubernetes PKI certificates, API server settings, server administration controls, network policies, and storage limits.
  • Cloud provider security: secure configurations for Amazon Web Services (AWS), Microsoft Azure, Google Cloud, IBM Cloud, and other public clouds, including guidance on identity and access management (IAM), logging, network configuration, compliance management, and the security of auto-scaling, among other topics.
  • Mobile devices: mobile operating systems such as iOS and Android, focusing on developer options and settings, OS privacy configuration, browser settings, app permissions, and more.

Enhance cloud security with the CIS Benchmarks

Cloud service providers (CSPs) have changed the way organizations of all sizes design and deploy their IT environments. However, cloud technology also introduces new risks. The CIS Benchmarks give organizations guidance for creating policies and for planning and managing secure cloud environments.

CIS has released Foundations Benchmarks for all major public cloud environments, including AWS, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, IBM Cloud, and Alibaba Cloud.

Their audience includes system and application administrators, security professionals, auditors, help desk staff, and DevOps engineers who develop, deploy, assess, or secure cloud solutions and systems.

Each CIS Foundations Benchmark is written for a specific CSP, but the documents share a common structure. At a minimum, each provides guidance on identity and access management (IAM), logging, monitoring, and networking.

Getting the CIS Benchmarks

The CIS AWS Foundations Benchmark, like every other CIS Benchmark, can be downloaded free of charge in PDF format from the CIS website.

Recommendations common to all CIS cloud benchmarks

  • Build secure cloud workloads that follow industry best practices; store and monitor your tested, compliant images so they cannot be tampered with.
  • Enable cloud control-plane logging with tools such as AWS CloudTrail or Google Cloud Operations Suite, and record every API call made in your cloud account.
  • Enable cloud-native monitoring and alerting for your workloads.
  • Require strong authentication (including MFA) for all cloud management interfaces, both web consoles and command-line access.
  • Implement a least-privilege identity strategy for the various cloud operations roles.
  • Enable encryption and other data protection measures for cloud storage services.
  • Restrict cloud-native network access to what is actually needed, and ensure all network activity is monitored.
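To make these recommendations concrete, here is an added example (not code from this page or from CIS) that evaluates a constructed account snapshot against checks modelled on the CIS AWS Foundations Benchmark: root MFA, a 14-character password minimum, a multi-region CloudTrail trail with log-file validation, and no unrestricted ingress to SSH or RDP. The snapshot layout, field names and sample data are assumptions made for this example, not an AWS API shape; exact recommendation numbers vary between benchmark versions, so the code cites none.

```python
"""Evaluate a constructed cloud account snapshot against CIS-style checks.

The snapshot layout and every field name are this example's own
simplification, not an AWS API shape.
"""
from dataclasses import dataclass

ADMIN_PORTS = (22, 3389)               # SSH and RDP
PUBLIC_CIDRS = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class Finding:
    check: str      # short name of the failed check
    resource: str   # what failed
    detail: str     # why


def check_root_mfa(snapshot):
    """Root account must have an MFA device."""
    if snapshot["iam"]["root_mfa_enabled"]:
        return []
    return [Finding("root-mfa", "account-root", "no MFA device on root account")]


def check_password_policy(snapshot, min_length=14):
    """IAM password policy must require at least min_length characters."""
    policy = snapshot["iam"].get("password_policy") or {}
    length = policy.get("min_length", 0)
    if length >= min_length:
        return []
    return [Finding("password-policy", "account",
                    f"minimum password length {length} is below {min_length}")]


def check_cloudtrail(snapshot):
    """At least one multi-region trail, and every trail validates its log files."""
    trails = snapshot["cloudtrail"]["trails"]
    findings = []
    if not any(t["multi_region"] for t in trails):
        findings.append(Finding("cloudtrail-multi-region", "account",
                                "no trail records events in all regions"))
    for t in trails:
        if not t["log_file_validation"]:
            findings.append(Finding("cloudtrail-validation", t["name"],
                                    "log file validation is disabled"))
    return findings


def check_security_groups(snapshot):
    """No security group may allow 0.0.0.0/0 or ::/0 to reach an admin port."""
    findings = []
    for sg in snapshot["ec2"]["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] not in PUBLIC_CIDRS:
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            if lo == -1:                # AWS uses -1 for "all ports"
                lo, hi = 0, 65535
            exposed = [p for p in ADMIN_PORTS if lo <= p <= hi]
            if exposed:
                findings.append(Finding("sg-admin-ingress", sg["id"],
                                        f"ports {exposed} open to {rule['cidr']}"))
    return findings


CHECKS = (check_root_mfa, check_password_policy, check_cloudtrail, check_security_groups)


def evaluate(snapshot):
    """Run every check; an empty list means the snapshot passes."""
    findings = []
    for check in CHECKS:
        findings.extend(check(snapshot))
    return findings


# Constructed snapshot of a typical untouched account (not real data).
SAMPLE_SNAPSHOT = {
    "iam": {"root_mfa_enabled": False, "password_policy": {"min_length": 8}},
    "cloudtrail": {"trails": [{"name": "main", "multi_region": False, "log_file_validation": True}]},
    "ec2": {"security_groups": [
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-internal", "ingress": [{"cidr": "10.0.0.0/8", "from_port": -1, "to_port": -1}]},
    ]},
}

# The same account after remediation: SSH restricted to an admin range, MFA on, 14-char passwords.
HARDENED_SNAPSHOT = {
    "iam": {"root_mfa_enabled": True, "password_policy": {"min_length": 14}},
    "cloudtrail": {"trails": [{"name": "main", "multi_region": True, "log_file_validation": True}]},
    "ec2": {"security_groups": [
        {"id": "sg-bastion", "ingress": [{"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22}]},
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    ]},
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOT):
        print(f"FAIL {f.check:24} {f.resource:12} {f.detail}")
```

Running the script reports four findings for the untouched account and none for the hardened one. Note that HTTPS open to the world is deliberately not flagged: the benchmarks target administrative ports, and a check that cries wolf on every public web listener gets ignored.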

Consider configuration drift

The CIS Benchmarks are excellent, but on their own they are not enough. Manually configuring every item in a public cloud benchmark (which typically runs to hundreds of pages) is not feasible even for the most experienced DevOps professional. Fortunately there are automated tools, some free and open source and some commercial, that can apply and assess the benchmark configuration for you.

Just as important is accounting for configuration drift. The cloud is a highly dynamic environment, and what you configure today may be changed or gone tomorrow. To stay secure, make sure you:

  • Control every process that creates new workloads and cloud services, and ensure each one enforces the security baseline.
  • Use Infrastructure as Code (IaC) to automate secure configuration, just as you automate everything else.
  • Put a configuration monitoring solution in place, such as Cloud Security Posture Management (CSPM), a Cloud Workload Protection Platform (CWPP), or a Cloud Access Security Broker (CASB), that automatically scans for and verifies secure configurations.
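As an added example (not from the original page or from any CSPM product), the following script shows the drift check the list above calls for: it compares the intended state recorded by IaC with a later snapshot of the live resources and separates security regressions (public access unblocked, a 0.0.0.0/0 ingress added, a managed resource deleted) from harmless drift such as a changed description. The resource model, attribute names and sample data are constructed for this example.

```python
"""Configuration drift detection: compare the state IaC applied with a later
snapshot of the live resources and report every changed attribute, flagging
the changes that weaken security.

Resources are modelled as name -> flat attribute dict. This representation and
the resource names are an example simplification; a real CSPM tool would fill
both sides from the provider API and the IaC state file.
"""
from dataclasses import dataclass

PUBLIC_CIDRS = ("0.0.0.0/0", "::/0")

# Attribute -> predicate(expected, actual) that is True when the change weakens security.
SECURITY_REGRESSIONS = {
    "encryption_enabled":    lambda exp, act: exp is True and act is not True,
    "public_access_blocked": lambda exp, act: exp is True and act is not True,
    "logging_enabled":       lambda exp, act: exp is True and act is not True,
    "ingress_cidrs":         lambda exp, act: any(
        c in PUBLIC_CIDRS for c in set(act or ()) - set(exp or ())),
}


@dataclass(frozen=True)
class Drift:
    resource: str
    attribute: str
    expected: object
    actual: object
    severity: str   # "regression" when security is weakened, else "info"


def diff_resource(name, expected, actual):
    """Attribute-level diff of one resource."""
    drifts = []
    for attr in sorted(set(expected) | set(actual)):
        exp, act = expected.get(attr), actual.get(attr)
        if exp == act:
            continue
        weakens = SECURITY_REGRESSIONS.get(attr)
        severity = "regression" if weakens and weakens(exp, act) else "info"
        drifts.append(Drift(name, attr, exp, act, severity))
    return drifts


def detect_drift(baseline, live):
    """Compare baseline (intended) and live (observed) resource maps.

    A managed resource missing from live is a regression: whatever control it
    implemented is gone. A resource present only in live is unmanaged and is
    reported so it can be brought under IaC.
    """
    drifts = []
    for name in sorted(set(baseline) | set(live)):
        if name not in live:
            drifts.append(Drift(name, "<resource>", "present", "deleted", "regression"))
        elif name not in baseline:
            drifts.append(Drift(name, "<resource>", "absent", "unmanaged", "info"))
        else:
            drifts.extend(diff_resource(name, baseline[name], live[name]))
    return drifts


def regressions(drifts):
    """Only the drifts that should page someone."""
    return [d for d in drifts if d.severity == "regression"]


# Constructed example: what IaC applied last week ...
BASELINE = {
    "s3/artifacts":    {"encryption_enabled": True, "public_access_blocked": True, "versioning": True},
    "sg/app":          {"ingress_cidrs": ("10.0.0.0/8",), "description": "app tier"},
    "cloudtrail/main": {"logging_enabled": True, "multi_region": True},
}
# ... and what the account looks like today after a few console changes.
LIVE = {
    "s3/artifacts":    {"encryption_enabled": True, "public_access_blocked": False, "versioning": True},
    "sg/app":          {"ingress_cidrs": ("10.0.0.0/8", "0.0.0.0/0"), "description": "app tier (temp)"},
    "sg/debug":        {"ingress_cidrs": ("0.0.0.0/0",)},
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, LIVE):
        print(f"{d.severity:10} {d.resource:16} {d.attribute:22} {d.expected!r} -> {d.actual!r}")
```

The run reports five drifts, three of which are regressions: the deleted trail, the unblocked bucket, and the world-open ingress on sg/app. The unmanaged sg/debug group is reported at info level here; in practice you would feed its world-open rule back through the same compliance checks rather than trust the baseline alone.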

With this information you are one step closer to hardening your DevOps cloud.
